Remember those strange bright signs marking vehicles that transport chemicals by road? Or those movies with people whose faces you cannot see because they are wearing hermetic protective suits, carefully holding strange tubes of some shiny substance? Or the special cases marked with a red cross, containing human organs for transplantation? Surely you’ve seen one in the final scene of “The Real McCoy,” haven’t you?
Now imagine that a police officer has pulled you over. What happens if he finds an ordinary bag with… dangerous chemicals, bacteria, or biologically active materials on the back seat of your car? I’m not sure about the details, but such a situation will definitely get you into trouble.
Well, PCI compliance is about very similar things and situations. PCI stands for Payment Card Industry, and the relevant standard is PCI DSS, the Payment Card Industry Data Security Standard. If you accept electronic payments, you are handling a lot of sensitive data: the payment card data is the “lifeblood” of the payment card industry. It is as if each cardholder were telling you a unique secret you must keep. If you do not handle and protect this data properly, you will face the consequences. The mere possibility of a breach of this data counts against you, unless you take the precautions the PCI DSS standard imposes.
5 basic things about PCI compliance you should know:
- If you want to accept electronic payments, you have to deal with PCI compliance requirements. You either handle payment card data yourself (and face the full PCI implications) or delegate the task to a third party. (Remember the guys in protective suits? That’s your third party.) The latter option lets you shrink your PCI exposure dramatically; a merchant whose systems never see card data still validates compliance, but with the shortest self-assessment questionnaire rather than the full set of requirements.
- Handling cardholder data involves two aspects: cardholder data flow (transmission and processing) and cardholder data storage. (So to speak, the tank and the lorry for your dangerous chemicals.) The two most common reasons to store card data are recurring payments and statistical research of your customer base. Store it only if you genuinely need to, and never store sensitive authentication data such as the CVV or full magnetic-stripe contents after authorization; PCI DSS forbids that regardless of your reason.
- The standard method of keeping actual card numbers out of your systems is tokenization. A token, a surrogate value with no exploitable relationship to the card number, replaces the real card number (the PAN) everywhere in your software and hardware, so only the token vault ever “touches” the PAN. The two most common approaches are tokenization as a service (a provider runs the vault and returns tokens to you) and tokenization through an appliance that you host yourself.
- There are 4 PCI compliance levels. Your level is determined by your transaction volume, counted annually per card brand. If your volume is relatively small, you are a Level 4 merchant, and validation means completing a self-assessment questionnaire (SAQ), usually together with quarterly external vulnerability scans by an Approved Scanning Vendor. For higher-level merchants the process is more rigorous; a Level 1 merchant needs an annual on-site assessment by a Qualified Security Assessor, which can cost up to approximately $40,000 per year. (The more dangerous the chemicals you are carrying, the thicker your tank should be.)
- PA-DSS is a separate standard, not a “stronger” version of PCI DSS. PA-DSS applies to the payment applications vendors sell to merchants, while PCI DSS applies to your whole environment: how those applications are deployed, configured, networked, and operated. Using PA-DSS validated software makes your own compliance easier, but it does not make your business automatically PCI DSS compliant; your environment is still assessed under PCI DSS.
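To make the tokenization item concrete, here is an added example in Python; it is not code from the original article or from Paylosophy, and the names TokenVault, find_pans and demo are assumptions for illustration. A hypothetical vault is the only component that stores card numbers and is therefore the only component inside PCI scope; the merchant database keeps only tokens, which are format-preserving (same length, real last four digits) but deliberately fail the Luhn check so they cannot be mistaken for card numbers; and a Luhn-based scanner confirms that a dump of the merchant's storage contains no card numbers, which is the check you run on databases and logs before claiming they are out of scope. The sample input is constructed from the publicly known test card numbers 4111111111111111 and 5555555555554444.

```python
"""Toy tokenization flow: the vault holds PANs, the merchant keeps only tokens."""
import hashlib
import hmac
import re
import secrets

# Constructed sample input: publicly known test card numbers used for
# integration testing, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: True for a well-formed card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault (assumed name): the only place PANs are stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}
        # The lookup index uses a keyed hash: a plain SHA-256 of a 16-digit
        # PAN is trivially brute-forced, an HMAC under a secret key is not.
        self._index_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for pan. The same PAN always yields the same
        token, which is what recurring billing needs."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Format-preserving token: random digits plus the real last four,
            # so receipts can still show "card ending in 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn (a scanner or an acquirer could
            # mistake them for a PAN) and any accidental collision.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]

    def stored_pans(self) -> list[str]:
        """What an attacker who dumps the vault itself would obtain."""
        return list(self._pan_by_token.values())


# Maximal runs of 13 to 19 digits are candidate PANs.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan stored data for digit runs that pass Luhn: the check you run on
    merchant databases and logs to confirm no card number leaked."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def mask(token: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(token) - 4) + token[-4:]


def demo() -> dict:
    vault = TokenVault()
    merchant_db = {}                     # customer id -> token: all the merchant keeps
    for i, pan in enumerate(SAMPLE_PANS):
        merchant_db[f"cust-{i}"] = vault.tokenize(pan)
    dump = "\n".join(f"{c},{t}" for c, t in merchant_db.items())
    return {
        "tokens": merchant_db,
        "masked": {c: mask(t) for c, t in merchant_db.items()},
        "pans_in_merchant_dump": find_pans(dump),            # expected: []
        "pans_in_vault": find_pans("\n".join(vault.stored_pans())),
        "stable": vault.tokenize(SAMPLE_PANS[0]) == merchant_db["cust-0"],
        "roundtrip": vault.detokenize(merchant_db["cust-0"]) == SAMPLE_PANS[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the file prints the tokens, their masked display form, an empty list for the merchant dump and both card numbers for the vault dump: the scope boundary is exactly the vault. A real vault must additionally encrypt the stored PANs with properly managed keys (PCI DSS requirement 3); this toy keeps them in a plain dictionary to keep the flow visible.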
These are just the basics, and cardholder data is admittedly not quite as similar to fuel and chemicals as we implied. Do you want a more profound knowledge of the subject? If so, you are welcome to read the following series of articles: Security & PCI – Paylosophy.